Stanford Security Seminar

Juan Garay

Abstract:

Existing work on "rational cryptographic protocols" treats
each party (or coalition of parties) as a selfish agent who tries
to maximize its own utility. In this work we propose a
fundamentally different approach better suited to modeling a
protocol under attack from an external entity. Specifically, we
model this situation as a two-party game between a protocol
designer and a (rational) attacker. The goal of the attacker is to
break certain security properties such as correctness or
confidentiality, depending on its utility function, possibly by
corrupting (the machines of) protocol participants; the goal of the
protocol designer is to prevent the attacker from succeeding.

We lay the theoretical groundwork for a study of cryptographic
protocol design in this setting by providing a methodology for
defining the problem within the traditional real/ideal paradigm.
Our framework provides ways of reasoning about important
cryptographic concepts, such as adaptive corruptions or attacks on
communication resources, something not available in previous
game-theoretic treatments of cryptography. We also prove
composition theorems that---for the first time---provide a sound
way for designing rational protocols assuming "ideal communication"
(e.g., broadcast, authenticated channels) and then instantiate
these using standard cryptographic tools.

Finally, we investigate the problem of secure function evaluation
(SFE) in our framework, where the attacker wants to violate
correctness or confidentiality and has to pay for each party it
corrupts. Our results demonstrate how knowledge of the attacker's
incentives can be used to circumvent known impossibility results
for SFE in the presence of arbitrarily malicious attackers.